Bug Tracker

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#13074 closed bug (notabug)

html("<div onclick='xyz'>x</div>") call with event on server Internet Explorer causes security error

Reported by: jiongmai@… Owned by:
Priority: undecided Milestone: None
Component: unfiled Version: 1.8.3
Keywords: Cc:
Blocked by: Blocking:

Description

When I run $("#Item").html("<div onclick='xyz'>x</div>") it causes a popup error

Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration. about:blank

It offers to add about:blank to the Trusted sites zone. If added, the error no longer appears.

This error does not cause the script to fail. The script resumes and works perfectly, and the error doesn't appear even if ran again until next page reload.

I have tested this on a server 2003 IE8 and server 2008 IE9 and they both show this behavior. This appears to affect older versions of jquery as well.

Change History (5)

comment:1 Changed 7 years ago by jiongmai@…

Here is an example code -- http://jsfiddle.net/2BBq6/

comment:2 Changed 7 years ago by dmethvin

Resolution: notabug
Status: newclosed

Hey there little <div>, what are you doing in a <tbody>? You are NOT supposed to be there! And what about you <tbody>, you aren't even in a <table>! Go find a <table>, silly <tbody>.

http://jsfiddle.net/2BBq6/1/

http://www.w3.org/TR/html401/struct/tables.html#h-11.2.3

comment:3 Changed 7 years ago by jiongmai@…

Since you put it that way, updated code to be a bit more compliant. Still a bug.

http://jsfiddle.net/2BBq6/2/

comment:4 Changed 7 years ago by dmethvin

My example worked fine in both IE8 and IE9. Please take it to the forum and debug it there.

comment:5 Changed 7 years ago by dmethvin

Also I should add that in general, inline event handlers are on jQuery's wontfix list since they are a security risk and extremely bad practice.

Note: See TracTickets for help on using tickets.